SQL Injection
From charlesreid1
Contents
Overview
SQL Injection is a web security vulnerability that allows attackers to execute custom SQL queries by taking advantage of unvalidated inputs.
SQL injections can have a high impact and are easy to carry out, making them one of the most common exploited vulnerabilities.
Cheat Sheet
https://portswigger.net/web-security/sql-injection/cheat-sheet
Types of SQL injection attacks
There are several types of SQL injection attacks:
- Retrieving hidden data
- Subverting application logic
- UNION attacks
- Examining the database
- Blind SQL injection
Notes
Basic SQL injection attack
Start with a hypothetical web application. When you browse to this URL:
https://insecure-website.com/products?category=Gifts
it runs this SQL query:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
(Here, the "released" field indicates products that have been made public.)
If the category name specified by the user is not sanitized, then this web app is vulnerable to SQL injection.
The value we provide for category should start with a single quote, to end the category string variable, followed by a custom SQL query for the server to run.
Here, we add the SQL symbol -- (which makes everything that follows a comment, ignoring the "AND" portion and bypassing the "released=1" condition check.)
https://insecure-website.com/products?category=Gifts'--
This will show all products, including unreleased products.
Or the attacker can and an "OR" and a condition that is always true:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
Subverting application logic
If a login page of a web application is checking for a username and password, it might use the username/password in a query like this:
SELECT * FROM users WHERE username = 'user' AND password = 'nopass'
If user inputs are not sanitized, SQL injection attack is possible.
An SQL injection attack could use the username
administrator'--
which would terminate the SQL query before the "AND" check, bypassing the password check and making any password valid.
It may also take a few attempts - admin, administrator, or specific usernames - don't give up easily
Check for SQL injection vulnerabilities by using single quotes in fields and looking for internal server errors.
Retrieving data from other tables
Also known as a UNION attack, this type of attack uses an SQL injection vulnerability to retrieve data about other tables in the SQL database.
Suppose a web application runs an SQL query using a user-specified category like so:
SELECT name, description FROM products WHERE category = 'Gifts'
In this case, if we run with the category
' UNION SELECT username, password FROM users--
it would cause all usernames and passwords to be returned, in addition to product listings.
(Note, this example is oversimplified - it may take some extra work to craft the right UNION query.)
This type of attack is called a UNION attack. See SQL Injection/UNION Attack
Blind SQL Injection
Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.
Example: tracking cookies to gather analytics. Cookie tracking ID may get fed to an SQL query, but results of query are not returned to the user.
Application behavior will be different though, depending on whether the query returns data or not - if a cookie tracking id is valid, will show "Welcome back"
Utilize that behavior to to exploit SQL injection vulnerabilities
Can check for these types of vulnerabilities by submitting a pair of requests, and seeing different behavior:
…xyz' AND '1'='1
…xyz' AND '1'='2
This can be further exploited, by combining with knowledge of other tables. Example: a table called Users with columns Username and password. Then the following SQL queries will allow determining a password one character at a time:
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 't xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's